def Run(self, args):
result = self.iam_client.projects_serviceAccounts_keys.Get(
self.messages.IamProjectsServiceAccountsKeysGetRequest(
name=iam_util.EmailAndKeyToResourceName(
args.iam_account, args.key),
publicKeyType=iam_util.PublicKeyTypeFromString(args.type)))
files.WriteFileOrStdoutContents(args.output_file,
content=result.publicKeyData,
binary=True)
log.status.Print('written key [{0}] for [{2}] as [{1}]'.format(
args.key, args.output_file, args.iam_account))
def Run(self, args):
response = self.iam_client.projects_serviceAccounts.SignBlob(
self.messages.IamProjectsServiceAccountsSignBlobRequest(
name=iam_util.EmailToAccountResourceName(args.iam_account),
signBlobRequest=self.messages.SignBlobRequest(
bytesToSign=self.ReadFile(args.input))))
files.WriteFileOrStdoutContents(args.output,
content=response.signature,
binary=True)
log.status.Print(
'signed blob [{0}] as [{1}] for [{2}] using key [{3}]'.format(
args.input, args.output, args.iam_account, response.keyId))
def Run(self, args):
if (args.plaintext_file == '-'
and args.additional_authenticated_data_file == '-'):
raise exceptions.InvalidArgumentException(
'--plaintext-file',
'--plaintext-file and --additional-authenticated-data-file cannot '
'both read from stdin.')
try:
# The Encrypt API limits the plaintext to 64KiB.
plaintext = self._ReadFileOrStdin(args.plaintext_file,
max_bytes=65536)
except files.Error as e:
raise exceptions.BadFileException(
'Failed to read plaintext file [{0}]: {1}'.format(
args.plaintext_file, e))
aad = None
if args.additional_authenticated_data_file:
try:
# The Encrypt API limits the AAD to 64KiB.
aad = self._ReadFileOrStdin(
args.additional_authenticated_data_file, max_bytes=65536)
except files.Error as e:
raise exceptions.BadFileException(
'Failed to read additional authenticated data file [{0}]: {1}'
.format(args.additional_authenticated_data_file, e))
if args.version:
crypto_key_ref = flags.ParseCryptoKeyVersionName(args)
else:
crypto_key_ref = flags.ParseCryptoKeyName(args)
client = cloudkms_base.GetClientInstance()
messages = cloudkms_base.GetMessagesModule()
req = messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysEncryptRequest(
name=crypto_key_ref.RelativeName())
req.encryptRequest = messages.EncryptRequest(
plaintext=plaintext, additionalAuthenticatedData=aad)
resp = client.projects_locations_keyRings_cryptoKeys.Encrypt(req)
try:
files.WriteFileOrStdoutContents(args.ciphertext_file,
resp.ciphertext,
binary=True,
overwrite=True)
except files.Error as e:
raise exceptions.BadFileException(e)
def Run(self, args):
if (args.ciphertext_file == '-'
and args.additional_authenticated_data_file == '-'):
raise exceptions.InvalidArgumentException(
'--ciphertext-file',
'--ciphertext-file and --additional-authenticated-data-file cannot '
'both read from stdin.')
try:
# The Encrypt API has a limit of 64K; the output ciphertext files will be
# slightly larger. Check proactively (but generously) to avoid attempting
# to buffer and send obviously oversized files to KMS.
ciphertext = self._ReadFileOrStdin(args.ciphertext_file,
max_bytes=2 * 65536)
except files.Error as e:
raise exceptions.BadFileException(
'Failed to read ciphertext file [{0}]: {1}'.format(
args.ciphertext_file, e))
aad = None
if args.additional_authenticated_data_file:
try:
# The Encrypt API limits the AAD to 64KiB.
aad = self._ReadFileOrStdin(
args.additional_authenticated_data_file, max_bytes=65536)
except files.Error as e:
raise exceptions.BadFileException(
'Failed to read additional authenticated data file [{0}]: {1}'
.format(args.additional_authenticated_data_file, e))
crypto_key_ref = flags.ParseCryptoKeyName(args)
client = cloudkms_base.GetClientInstance()
messages = cloudkms_base.GetMessagesModule()
req = messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysDecryptRequest(
name=crypto_key_ref.RelativeName())
req.decryptRequest = messages.DecryptRequest(
ciphertext=ciphertext, additionalAuthenticatedData=aad)
resp = client.projects_locations_keyRings_cryptoKeys.Decrypt(req)
try:
files.WriteFileOrStdoutContents(args.plaintext_file,
resp.plaintext,
binary=True,
overwrite=True)
except files.Error as e:
raise exceptions.BadFileException(e)
def Run(self, args):
result = self.iam_client.projects_serviceAccounts_keys.Create(
self.messages.IamProjectsServiceAccountsKeysCreateRequest(
name=iam_util.EmailToAccountResourceName(args.iam_account),
createServiceAccountKeyRequest=
self.messages.CreateServiceAccountKeyRequest(
privateKeyType=iam_util.KeyTypeToCreateKeyType(
iam_util.KeyTypeFromString(args.key_file_type)))))
# Only the creating user has access. Set file permission to "-rw-------".
files.WriteFileOrStdoutContents(
args.output, content=result.privateKeyData, binary=True, private=True)
log.status.Print(
'created key [{0}] of type [{1}] as [{2}] for [{3}]'.format(
iam_util.GetKeyIdFromResourceName(result.name),
iam_util.KeyTypeToString(result.privateKeyType),
args.output,
args.iam_account))
def Run(self, args):
key_ref = resources.REGISTRY.Parse(
args.key,
collection='iam.projects.serviceAccounts.keys',
params={
'serviceAccountsId': args.iam_account,
'projectsId': '-'
})
key = key_ref.keysId
result = self.iam_client.projects_serviceAccounts_keys.Get(
self.messages.IamProjectsServiceAccountsKeysGetRequest(
name=key_ref.RelativeName(),
publicKeyType=iam_util.PublicKeyTypeFromString(args.type)))
files.WriteFileOrStdoutContents(args.output_file,
content=result.publicKeyData,
binary=True)
log.status.Print('written key [{0}] for [{2}] as [{1}]'.format(
key, args.output_file, args.iam_account))